Compiling GnuPG for Windows
Thank you, guys, for your input. Apparently, GnuPG is not suitable for use in my environment. (And not just because I am unable to compile it on my machine. Bugs, annoyances, wrong documentation, incompatibilities...) I already wasted three weeks trying to make it work according to my needs and it is time to admit to myself that it is just not going to happen. I guess I'm stuck with PGP for now. Too bad that it no longer works on 64-bit Windows, so I am forced to run in on an emulated WinXP machine, which is a major inconvenience. :-( Or I might try to compile a 32-bit version of PGP... Way back when I was involved in the development, we made sure that the sources compiled and ran correctly on pretty much everything (even VAX/VMS!), so it ought not to be a huge problem. Regards, Vesselin ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Broken ECDSA in gnupg 2.0.23
On Sat, 21 Jun 2014 15:14, anatol.pomo...@gmail.com said: The libgcrypt functions such as gcry_pk_map_name() return GCRY_PK_ECC instead of GCRY_PK_ECDSA. So I modified gnupg 2.0.23 sources with this patch: Thanks. Applied. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: mascot_p
- Message from MFPA 2014-667rhzu3dc-lists-gro...@riseup.net on snip... Some animal that hides stuff? A squirrel? Or just a nice animal, OK, that rules out a squirrel: it is essentially a rat with good PR. (-; Perhaps it's just PR, but they seem to live in better neighborhoods--e.g., trees, wooded areas rather than sewers. ;-)___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
[Announce] [security fix] GnuPG 1.4.17 released
Hello! We are pleased to announce the availability of a new stable GnuPG-1 release: Version 1.4.17. This release includes a *security fix* to stop a possible DoS using garbled compressed data packets which can be used to put gpg into an infinite loop. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility, smartcard support and is compliant with the OpenPGP Internet standard as described by RFC-4880. GnuPG is distributed under the terms of the GNU General Public License (GPLv3+). Note that this version is from the GnuPG-1 series and thus smaller than those from the GnuPG-2 series, easier to build, and also better portable to ancient platforms. In contrast to GnuPG-2 (e.g version 2.0.23) it comes with no support for S/MIME, Secure Shell, or other tools useful for desktop environments. Fortunately you may install both versions alongside on the same system without any conflict. What's New === * Avoid DoS due to garbled compressed data packets. * Screen keyserver reponses to avoid import of unwanted keys by rogue servers. * Add hash algorithms to the sig records of the colon output. * More specific reason codes for INV_RECP status. * Fixes for PC/SC access on Apple. * Minor bug fixes. Getting the Software First of all, decide whether you really need GnuPG version 1.4.x - most users are better off with the modern GnuPG 2.0.x version. Then follow the instructions found at https://www.gnupg.org/download/ or read on: GnuPG 1.4.17 may be downloaded from one of the GnuPG mirror sites or direct from ftp://ftp.gnupg.org/gcrypt/ . The list of mirrors can be found at https://www.gnupg.org/mirrors.html . Note, that GnuPG is not available at ftp.gnu.org. On ftp.gnupg.org and on its mirrors you should find the following new files in the *gnupg* directory: - The GnuPG source code compressed using BZIP2 and its OpenPGP signature: gnupg-1.4.17.tar.bz2 (3563k) gnupg-1.4.17.tar.bz2.sig - The GnuPG source code compressed using GZIP and its OpenPGP signature: gnupg-1.4.17.tar.gz (4929k) gnupg-1.4.17.tar.gz.sig - A patch file to upgrade a 1.4.16 GnuPG source tree. This patch does not include updates of the language files. gnupg-1.4.16-1.4.17.diff.bz2 (21k) Select one of them. To shorten the download time, you probably want to get the BZIP2 compressed file. Please try another mirror if exceptional your mirror is not yet up to date. In the *binary* directory, you should find these files: - GnuPG compiled for Microsoft Windows and its OpenPGP signature. This is a command line only version; the source files are the same as above. gnupg-w32cli-1.4.17.exe (1574k) gnupg-w32cli-1.4.17.exe.sig Note, that this is a minimal installer and unless you are only in need for the simple the gpg binary, you are better off using the full featured installer at https://www.gpg4win.org . Checking the Integrity == In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways: * If you already have a trusted version of GnuPG installed, you can simply check the supplied signature. For example to check the signature of the file gnupg-1.4.17.tar.bz2 you would use this command: gpg --verify gnupg-1.4.17.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. Note, that you can retrieve the signing key using the command finger wk ,at' g10code.com | gpg --import or using a keyserver like gpg --recv-key 4F25E3B6 The distribution key 4F25E3B6 is signed by the well known key 1E42B367. If you get an key expired message, you should retrieve a fresh copy as the expiration date might have been prolonged. NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION! * If you are not able to use an old version of GnuPG, you have to verify the SHA-1 checksum. Assuming you downloaded the file gnupg-1.4.17.tar.bz2, you would run the sha1sum command like this: sha1sum gnupg-1.4.17.tar.bz2 and check that the output matches the first line from the following list: 830c7f749ad92d6577c521addea5e5d920128d42 gnupg-1.4.17.tar.bz2 d5b3c25901f182ea20c31f09669f44681c3aaa89 gnupg-1.4.17.tar.gz ff761de4efc3876c57199612c24b677208da7c10 gnupg-1.4.16-1.4.17.diff.bz2 b2f0db9eebf028d27d0a119334e5e357773dd0d6
Re: [Announce] [security fix] GnuPG 1.4.17 released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 06/23/2014 06:21 PM, Werner Koch wrote: Hello! Hi * Avoid DoS due to garbled compressed data packets. Is this CVE-2013-4402 as fixed in 2.0.22 or a new bug? - -- - Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - History doesn't repeat itself, but it does rhyme. (Mark Twain) -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJTqGGaAAoJEPw7F94F4TagB9QP/A7k8kme286jAOPSS4YICIe0 vQ2e61azu08Ljf5g0F5ws6I7frgjBtYRpu6bDECUCC0PZ9206Blc9koLGUqfZlcQ s37s32N5igYuOVa5B6d0/RdxCt2O/b+I0YJn6fm1rqpeQD5cqWfXQeU8DCZWBU75 /tnasqMoWh/zjNNlzdgEF/2pe1QO6QHRJ/gd11VxEyr7xlAu2DawQEkv5f4fey6M r+GcTuG/VyX99POX1yjjFPnXsps/uMX5yXIqgxUKO6fsA+ckbrRtH4Da6eT/Qgxg +dOUVVvdYC9b8d/JHBFvo2Vr9m/csR1oFNxnQpD/mdot8wBNYXukKFkGuBrxjpxv bL5rkaI3ooOosb0AuE3j2NDO+3PaeRRPA1cQrB6R4c99/TAVn/bbJssqoqgAVTVg amFMdj6CWXfm0YT4OK0eSv7zP3fUolPf6SE5Ha7XDQbZ9QSKdTgPuQNa70gGnC80 62zRvL4Y4rPZR/A9NB5rz3gcbpcW3uCvsm/NmD5noeKLlfSneTZCu/bitjPG/qpG 0xeU28s3+2sf5rtJ0tRQ8g4mrzAJxVMDFNeqdPKhHQGqLJ4UWURousGhwBZeguZK EP/gvKnzxRB70J8o+BJJzOUFCvqUOh49bzbDDIVx1fZ5rEU3UoizjosWCr1m9DH3 SrE5yDwDH7jXYdilU8XD =CHCN -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] [security fix] GnuPG 1.4.17 released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 06/23/2014 07:19 PM, Kristian Fiskerstrand wrote: On 06/23/2014 06:21 PM, Werner Koch wrote: Hello! Hi * Avoid DoS due to garbled compressed data packets. Is this CVE-2013-4402 as fixed in 2.0.22 or a new bug? Nevermind, I notice the git commit comment. Has a CVE been requested for this already or should I ask for one? - -- - Kristian Fiskerstrand Blog: http://blog.sumptuouscapital.com Twitter: @krifisk - Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 - Aut dosce, aut disce, aut discede Either teach, or study, or leave -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJTqGI0AAoJEPw7F94F4Tagzw4P/0dlzt4V+aPvfjfsVDcPKJbT yMl/W9oeeVofC1T3FkH+k0aQ0M66w/9PcU+pEYgLN0xXUuyqMVn/lodgEFFkU9dG xSvAWJeBXu6YU30WsdQJD+KGUT38YrdnKqGm0vYPh0OtteJA0JfUdZxD3VlY1Ah4 l0+vLikjLkbPKV6Lnc9E+5N9iqHhLV4/+XGFqF0DueQiRD3bhZ2p5rOwHe7WQ86m Y+NMUemDO8qCsEcs3Llpc3bR2sbnovPEE22M7OTGrKMG77/VPAxTfZVyjEZ+SeY+ ff6Vlb80eaMPS8DjJdaSLCSEkiW90cA+uzjCAa1/uMWJ03IX4EWiqqbqHu9fn1rE MZmRTaqc7hhFbdXhYaLIBWCWACWMV9ysZGW/7geJj6JGCE0O2YY8hZ1kRXL+Hkuw hM42BauUErBcgmTD3ywhkQYkwXbK+P86golxUXzey5EpM+89Yg8noeQYWp4TwWlO D14emnaCNJZvmQBXjFnmxEseEQV7K/ib0m9nHkS5y2GxYWmEfg9gilbGd6ZDOEDQ hxzCYmPQjTxlrZYpEKjG46NeH79I/FAAvuXfijnthlGiwny5brfY1vgOLl9o0hQ/ 1FobHe9figvcnd7z1/8WJrv+Zp/9ef6df3TZ55Gcxf0FtITdTzCUANuqksZYIDH0 Xt0Rv62WzTed4ufaQlSG =9GtQ -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Compiling GnuPG for Windows
Apparently, GnuPG is not suitable for use in my environment. (And not just because I am unable to compile it on my machine. Bugs, annoyances, wrong documentation, incompatibilities...) We would appreciate it if you would list the bugs, annoyances, documentation errors, and incompatibilities you found. Or even just some of them. We'd like to fix them. I guess I'm stuck with PGP for now. Too bad that it no longer works on 64-bit Windows, so I am forced to run in on an emulated WinXP machine, which is a major inconvenience. :-( I've seen PGP 10.x running on 64-bit Windows in WOW64 mode. You may want to consider going that route. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Announce] [security fix] GnuPG 1.4.17 released
Hi, Version info: gnupg 1.4.17 Configured for: Darwin (x86_64-apple-darwin13.2.0) Thanks, Charly 0x15E4F2EA OS X OS X 10.9.3 (13D65) gpg (GnuPG) 1.4.17 TB 24.6.0 Enigmail version 1.7.a1pre 2014/04/06 ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Compiling GnuPG for Windows
On 6/23/2014 1:26 AM, Dr. Vesselin Bontchev wrote: Thank you, guys, for your input. Apparently, GnuPG is not suitable for use in my environment. (And not just because I am unable to compile it on my machine. Out of curiosity, why do you believe that you need to compile it? Doug ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
riseup.net OpenPGP Best Practices article
Hi all, An OpenPGP Best Practices article from riseup.net has been doing the rounds today. Quite a lot of good info, especially regarding key strength and expiry, and digest preferences. https://help.riseup.net/en/gpg-best-practices Cheers, Fraser ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
GnuPG 2.1.0-beta442: t-timestuff.c:118: test 17 failed
On OpenBSD 5.3 i386 one test fails: t-timestuff.c:118: test 17 failed FAIL: t-timestuff This patch (hack?) fixes it for me (local timezone is PDT). --- t-timestuff.c- Mon Jun 23 19:33:25 2014 +++ t-timestuff.c Mon Jun 23 19:33:38 2014 @@ -146,6 +146,7 @@ (void)argc; (void)argv; + setenv(TZ, UTC, 1); tzset(); test_timegm (); return 0; ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
